Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 31: Configuring External Alerting for Intrusion Rules
While the FireSIGHT System provides various views of intrusion events within the web interface, some
enterprises prefer to define external intrusion event notification to facilitate constant monitoring of
critical systems. If you want to immediately notify a specific person of critical events, you can set up
email alerts to do so. You can also enable logging to syslog facilities or send event data to an SNMP trap
server.
Within each intrusion policy, you can specify intrusion event notification limits, set up intrusion event
notification to external logging facilities, and configure external responses to intrusion events.
Tip
Some analysts prefer not to receive multiple alerts for the same intrusion event, but want to control how
often they are notified of a given intrusion event occurrence. See
for more information.
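The notification limit the tip refers to is easiest to see in code. The following Python is an added illustration, not code from the guide or from Cisco: it models a per-rule, per-source notification limit (at most N notifications in a rolling window) and renders the surviving events as one line each, using the fields this chapter lists for an external alert (the name of the server generating the alert, the detecting device's name and IP address). The event stream, rule IDs, addresses and the line layout are all constructed for the example; the FireSIGHT wire format is not reproduced.

```python
"""Added example: rolling-window notification limiter for intrusion events.

Not FireSIGHT code. Event fields, rule ids and addresses are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class IntrusionEvent:
    ts: float            # epoch seconds (constructed)
    sensor_name: str     # name of the device that detected the event
    sensor_ip: str       # IP address of the device that detected the event
    gid: int             # generator id (constructed sample value)
    sid: int             # signature id (constructed sample value)
    src_ip: str
    dst_ip: str
    message: str


class NotificationLimiter:
    """Allow at most `count` notifications per (gid, sid, src_ip) within any
    rolling window of `seconds`; later occurrences in that window are suppressed."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        self._seen: Dict[Tuple[int, int, str], Deque[float]] = defaultdict(deque)

    def should_notify(self, ev: IntrusionEvent) -> bool:
        key = (ev.gid, ev.sid, ev.src_ip)
        window = self._seen[key]
        # Expire timestamps that have aged out of the rolling window.
        while window and ev.ts - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:
            return False          # limit reached: suppress this notification
        window.append(ev.ts)
        return True


def format_alert(server_name: str, ev: IntrusionEvent) -> str:
    """Render the alert fields named in the chapter as a single syslog-style line.
    The layout is illustrative; it is not the FireSIGHT SNMP or syslog format."""
    return (f"server={server_name} sensor={ev.sensor_name} sensor_ip={ev.sensor_ip} "
            f"rule={ev.gid}:{ev.sid} src={ev.src_ip} dst={ev.dst_ip} "
            f'msg="{ev.message}"')


def process(events: List[IntrusionEvent], limiter: NotificationLimiter,
            server_name: str = "dc-example") -> List[str]:
    """Return the alert lines that would be forwarded to the external facility."""
    return [format_alert(server_name, ev) for ev in events if limiter.should_notify(ev)]


# Constructed sample stream: one source trips rule 1:1000001 four times in ten
# seconds, a different rule fires once, then rule 1:1000001 fires again after
# the window has expired.
SAMPLE_EVENTS = [
    IntrusionEvent(100.0, "sensor-a", "10.0.0.5", 1, 1000001, "192.0.2.10", "198.51.100.7", "sample rule A"),
    IntrusionEvent(102.0, "sensor-a", "10.0.0.5", 1, 1000001, "192.0.2.10", "198.51.100.7", "sample rule A"),
    IntrusionEvent(105.0, "sensor-a", "10.0.0.5", 1, 1000001, "192.0.2.10", "198.51.100.7", "sample rule A"),
    IntrusionEvent(110.0, "sensor-a", "10.0.0.5", 1, 1000001, "192.0.2.10", "198.51.100.7", "sample rule A"),
    IntrusionEvent(120.0, "sensor-a", "10.0.0.5", 1, 1000002, "192.0.2.10", "198.51.100.7", "sample rule B"),
    IntrusionEvent(170.0, "sensor-a", "10.0.0.5", 1, 1000001, "192.0.2.10", "198.51.100.7", "sample rule A"),
]

if __name__ == "__main__":
    # At most 2 notifications per rule/source in any 60-second window.
    for line in process(SAMPLE_EVENTS, NotificationLimiter(count=2, seconds=60.0)):
        print(line)
```

With a limit of two per 60 seconds, the stream above yields four alert lines: the first two occurrences of rule A, the single occurrence of rule B, and the late occurrence of rule A once its window has expired. The limiter keys on rule and source address so that one noisy source cannot drown out the same rule firing from elsewhere; a deployment that prefers one notification per rule regardless of source would drop `src_ip` from the key.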
There is another type of alerting you can perform in the FireSIGHT System, outside of your intrusion
policies. You can configure email, SNMP, and syslog alert responses for other types of events, including
intrusion events with specific impact flags, or connection events logged by specific access control rules.
For more information, see .
See the following sections for more information on external intrusion event notification:
• Using SNMP Responses describes the options you can configure to send event data to specified SNMP trap servers and provides the procedure for specifying the SNMP alerting options.
• external syslog and provides the procedure for specifying the syslog alerting options.
• describes the options you can configure to send notifications of intrusion events by email.
Using SNMP Responses
License: Protection
An SNMP trap is a network management notification. You can configure the device to send intrusion
event notifications as SNMP traps, also known as SNMP alerts. Each SNMP alert includes:
• the name of the server generating the trap
• the IP address of the device that detected it
• the name of the device that detected it